As of this date (December 19th, 2017), no updated firmware has been offered for testing, or released to the public.

Notes
-----
In all examples below, the TL-SG108E was configured with a LAN IP address of 192.168.1.6.

Many thanks to Simon @ TP-Link for the prompt email responses.

CVE-2017-17745 - Stored Cross Site Scripting (XSS)
--------------------------------------------------
* The device does not validate input to the script system_name_set.cgi on the TL-SG108E, nor does it encode the value on output to screen.
* Only the sysName variable in system_name_set.cgi was tested in this instance. Other fields in the management web-application may have similar problems; these were not tested.

Risks:
* In some network configurations (such as behind a NAT router, as outlined in CVE-2017-17746) a malicious user could store XSS on the TL-SG108E and cause the administrator of the TL-SG108E to execute arbitrary JavaScript code in their browser.

Proof of Concept:
* Authenticate to the device in a browser.
* Execute the following command from a terminal window:

    curl -vvvs -X 'GET' 'http://192.168.1.6/system_name_set.cgi?sysName=TL-SG"\]\};alert(1);</script>'

* To trigger the XSS: Browse -> System -> System Info. An alert box containing '1' displays, indicating successful JavaScript execution.

Mitigation:
* Set the device password to a strong password.
* Restrict access to the device from approved administrator workstations until an updated firmware is available.
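
The input validation and output encoding whose absence this CVE describes, as an added example (not code from this advisory or from TP-Link firmware). The inline-script template, the names sysInfo and name, and the allow-list policy are assumptions made for illustration; only the sysName payload comes from the proof of concept above.

```javascript
// Added example, not TP-Link firmware code. The page template shape and the
// names sysInfo/name are hypothetical, inferred from the PoC payload, whose
// "]}; sequence closes a string, an array and an object in an inline script.

// Constructed sample: the sysName value from the proof of concept above.
const POC_SYSNAME = 'TL-SG"]};alert(1);</script>';

// Input side: allow-list for a device name. The policy (1-32 characters of
// letters, digits, space, dot, underscore, hyphen) is an assumption.
function isValidSysName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 ._-]{1,32}$/.test(name);
}

// Output side: encode a string for use inside an inline <script> block.
// JSON.stringify escapes quotes, backslashes and control characters; the
// second pass escapes what the HTML parser reacts to (<, >, &) and the two
// separators that pre-ES2019 engines treat as line terminators.
function encodeForInlineScript(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Vulnerable rendering as assumed above: raw string concatenation.
function renderUnsafe(name) {
  return '<script>var sysInfo = {name: ["' + name + '"]};</script>';
}

// Hardened rendering: the encoder supplies the surrounding quotes.
function renderSafe(name) {
  return '<script>var sysInfo = {name: [' +
    encodeForInlineScript(name) + ']};</script>';
}

// Recover the literal between the brackets and parse it, to confirm the
// stored value round-trips as data rather than as markup or code.
function decodeRendered(html) {
  const literal = html.slice(html.indexOf('[') + 1, html.lastIndexOf(']'));
  return JSON.parse(literal);
}

console.log('accepted by allow-list:', isValidSysName(POC_SYSNAME));
console.log('unsafe:', renderUnsafe(POC_SYSNAME));
console.log('safe:  ', renderSafe(POC_SYSNAME));
```

Either control alone stops this payload; applying both covers fields where a strict allow-list is not practical.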

CVE-2017-17746 - Weak access control
------------------------------------
* All information regarding authenticated sessions is stored on the TL-SG108E; no cookies are sent from the device to the client after successful authentication.

Risks:
* Any other browser on a PC which has authenticated is then also treated as authenticated (Example: Login in Chrome, then open Firefox and browse to the TL-SG108E, and the session is already authenticated).
* If the TL-SG108E is on the other side of a NAT router, ALL clients behind the NAT are treated as authenticated.

Steps to reproduce:
* Authenticate from any PC.
* Any other browser on that system is then able to access the web-interface without entering authentication information.
* By extension, guest VMs on that machine are then automatically authenticated.

Mitigation:
* Restrict access to the device from approved administrator workstations until an updated firmware is available.
* Prevent any access to the web interface from devices behind a NAT router.

CVE-2017-17747 - Weak access control on Logout.htm
--------------------------------------------------
* Logout.htm can be called from any IP address, ending any authenticated sessions on the device.

Risks:
* A denial of service condition can be triggered by calling the logout script in a loop from any machine on the network regardless of their authentication status, effectively making it impossible to access the TL-SG108E management web-application.

Steps to reproduce:
* Authenticate from any PC.
* From another PC with a different IP address, access the logout page (http://192.168.1.6/Logout.htm).
* The session on the first PC has been terminated.

Mitigation:
* Restrict access to the device from approved administrator workstations until an updated firmware is available.